QualPwn Bugs in Qualcomm chips could allow hacking Android Over the Air

Researchers discovered two serious flaws, QualPwn bugs, in Qualcomm’s Snapdragon SoC WLAN firmware that could be exploited to hack Android device over the air.

Security experts at Tencent Blade, the security elite unit at Tencent, have discovered two severe vulnerabilities, QualPwn bugs, that could “allow attackers to compromise the Android Kernel over-the-air.

“QualPwn is a series of vulnerabilities discovered in Qualcomm chips. One of the vulnerabilities allows attackers to compromise the WLAN and Modem over-the-air. The other allows attackers to compromise the Android Kernel from the WLAN chip.” reads the security advisory published by the experts. “The full exploit chain allows attackers to compromise the Android Kernel over-the-air in some circumstance.”

The over-the-air attack could be launched when the attacker and the target share the same WiFi network, this specific attack doesn’t require user interaction.

The QualPwn bugs affect Qualcomm’s Snapdragon 835 and the 845 WLAN component.

The first vulnerability, tracked as CVE-2019-10538 is a buffer overflow that impacts the Qualcomm WLAN component and the Android Kernel.

The flaw was rated as a high severity issue, it was addressed with a code fix in the Android operating system source code.

The second flaw, tracked as CVE-2019-10540, is a buffer overflow issue that affects the Qualcomm WLAN and modem firmware that ships with Qualcomm chips. According to the Qualcomm’s security advisory the CVE-2019-10540 flaw affects many chipsets, including: IPQ8074, MSM8996AU, QCA6174A, QCA6574AU, QCA8081, QCA9377, QCA9379, QCS404, QCS405, QCS605, SD 636, SD 665, SD 675, SD 712, SD 710, SD 670, SD 730, SD 820, SD 835, SD 845, SD 850, SD 855, SD 8CX, SDA660, SDM630, SDM660, and SXR1130.

The vulnerability received a critical severity rating and was addressed with a code fix in Qualcomm’s closed-source firmware that ships on a limited set of devices.

Experts explained that they didn’t test all the Qualcomm chips, but only the Google Pixel2 and Pixel3 devices and verified that unpatched devices running on Qualcomm Snapdragon 835,845 may be vulnerable.

Tencent Blade said they discovered the bugs on their own, and that they haven’t seen any public exploitation attempts, to their knowledge.

Tencent Blade researchers will provide technical details about the QualPwn bugs and their exploitation at the Black Hat USA 2019 security conference and the DEFCON 27 security conference.

The good news is that the Android Security Bulletin for August 2019 addresses both QualPwn bugs.

Qualcomm has already issued fixes to OEMs, and is encouraging end-users to update their devices as patches become available from OEMs.

Unfortunately, a large number of devices will remain vulnerable for a long time because for different reasons that will not be eligible for updates from the vendor. Another aspect to consider is that not all vendors will push the Android update as soon as Google releases it.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – QualPwn bugs, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]